85 lines
3.4 KiB
Plaintext
85 lines
3.4 KiB
Plaintext
https://www.w3.org/TR/permissions/#powerful-feature[Powerful features] are browser features (geolocation, camera, microphone ...) that can be accessed with JavaScript API and may require a permission granted by the user. These features can have a high impact on privacy and user security thus they should only be used if they are really necessary to implement the critical parts of an application.
|
|
|
|
|
|
This rule highlights intrusive permissions when requested with https://developer.mozilla.org/en-US/docs/Web/API/Permissions/query[the future standard (but currently experimental) web browser query API] and specific APIs related to the permission. It is highly recommended to customize this rule with the permissions considered as intrusive in the context of the web application.
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* Some powerful features used by the application are not really necessary.
|
|
* Users are not clearly informed why and when powerful features are used by the application.
|
|
|
|
You are at risk if you answered yes to any of those questions.
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
* In order to respect user privacy it is recommended to avoid using intrusive powerful features.
|
|
|
|
== Sensitive Code Example
|
|
|
|
When using https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API[geolocation API], Firefox for example retrieves personal information like nearby wireless access points and IP address and sends it to the default geolocation service provider, https://www.google.com/privacy/lsf.html[Google Location Services]:
|
|
|
|
----
|
|
navigator.permissions.query({name:"geolocation"}).then(function(result) {
|
|
}); // Sensitive: geolocation is a powerful feature with high privacy concerns
|
|
|
|
navigator.geolocation.getCurrentPosition(function(position) {
|
|
console.log("coordinates x="+position.coords.latitude+" and y="+position.coords.longitude);
|
|
}); // Sensitive: geolocation is a powerful feature with high privacy concerns
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
If geolocation is required, always explain to the user why the application needs it and prefer requesting an approximate location when possible:
|
|
|
|
[source,javascript]
|
|
----
|
|
<html>
|
|
<head>
|
|
<title>
|
|
Retailer website example
|
|
</title>
|
|
</head>
|
|
<body>
|
|
Type a city, street or zip code where you want to retrieve the closest retail locations of our products:
|
|
<form method=post>
|
|
<input type=text value="New York"> <!-- Compliant -->
|
|
</form>
|
|
</body>
|
|
</html>
|
|
----
|
|
|
|
== See
|
|
|
|
* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Web Top 10 2017 Category A3 - Sensitive Data Exposure]
|
|
* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
|
|
* CWE - https://cwe.mitre.org/data/definitions/359[CWE-359 - Exposure of Private Information]
|
|
* https://www.w3.org/TR/permissions/[W3C] - Permissions
|
|
* https://support.mozilla.org/en-US/kb/does-firefox-share-my-location-websites[Mozilla] - Does Firefox share my location with websites?
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Make sure the use of [xxx] is necessary.
|
|
|
|
|
|
=== Parameters
|
|
|
|
.permissions
|
|
****
|
|
_string_
|
|
|
|
----
|
|
geolocation
|
|
----
|
|
|
|
Comma-separated list of intrusive permissions to report (supported values: geolocation, camera, microphone, notifications, persistent-storage)
|
|
****
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|